Navigation

How to Steal a Private Crypto Key Using Heartbleed

May 19, 2014

Stealing a site’s crypto key is a significant victory for a hacker or another individual or agency intent on spying on a user. It allows them to see the traffic passing between the user and the server as if it was not encrypted at all, and that means being able to steal credentials, passwords and other data as it flows through. Even worse, that hacker or spy could go back and decrypt data that they had intercepted from the server before. With the server’s private crypto key, in fact, that hacker or spy could see any data passing to or from the server.

What Happens During the Attack?

OpenSSL Betas 1.01 and 1.02 were affected by this bug. When a computer hooks up over a secure SSL/TLS connection, that connection is kept alive in these implementations by a heartbeat request. This is an exchange of data that allows the server and the computer to verify that they’re both there, essentially.

A malicious attacker sends a heartbeat request, but puts in false information about the size of that request. The actual request might only be 1 byte, for instance, but they might declare to the server that it’s much larger.

The server stores that information in memory. When it sends back a heartbeat request, it uses the information it had in memory. While it might think that the bytes included in the original request numbered, just for example, 64,000 in total, there was only 1. OpenSSL pulls information out of its memory, filling the request to the declared size and, in doing so, may actually send back the crypto key, which could be deciphered by the hacker.

This is vastly simplified, but it’s essentially how the attack works. The attacker merely tricks the OpenSSL into sending its own private crypto key and then uses that key to decipher any other information taken from the server.

How to Prevent This?

This was a software bug, which means that Heartbleed was literally written into the code of OpenSSL. This wasn’t a virus or another type of hack that introduced software onto the servers.

Most companies that use OpenSSL, including VPN companies, have patched their servers if they were affected by this bug. Not all of them were affected. To avoid being a victim of this attack yourself, make sure you change your password on any secure site you use. It may not have been affected, but it’s always better to be safe.